Why is UIDAI So Confused on Whether Aadhaar Database Was Breached?

(On 15 Jan 2018, The Economic Times published an article by RS Sharma, the first Director General of the UIDAI, claiming that there has been no Aadhaar data breach till date. In this article republished from The Quint’s archives, we explain why the UIDAI is so confused as to whether there has been a data breach or not, and what the truth of the matter is. It was originally published on 9 January 2018.)

The Unique Identification Authority of India (UIDAI) seems terribly confused about whether the Aadhaar database has been breached or not.

On Friday, their response to The Tribune story was, “UIDAI assured that there has not been any Aadhaar data breach. The Aadhaar data including biometric information is fully safe and secure.”

And then the UIDAI filed an FIR against The Tribune, which claimed that unauthorised persons including The Tribune’s reporter Rachna Khaira “have unauthorisedly accessed the Aadhaar ecosystem in connivance of the criminal conspiracy.”

Dear UIDAI, decide on one version please. Either you admit that there was a data breach or you deny that the Aadhaar database was accessed. How on earth can it be both?

Misreporting or Misuse?

Let’s give you a recap of UIDAI’s contradictory statements.

On Thursday morning, The Tribune published an investigative story that showed that access to the “secure” and “protected” Aadhaar database was being sold for as cheap as 500 rupees.

Within hours, a followup investigation by The Quint showed that it was only the tip of the iceberg.

Not only could ANYONE be added as an admin to the Aadhaar database (with access to the personal information of 119,22,59,062 Indians), any of the admins could make absolutely ANYBODY ELSE an admin of the portal.

The admin doesn’t need to take permission from the government, or anybody else for that matter, to add someone else as an admin. Just type a name (which could be a fake one) and an email address and voila! that individual would be granted access to the entire Aadhaar database.

Did the UIDAI admit the presence of this massive loophole in their security system?

Nope. Their first reaction was to say that The Tribune was “misreporting.”

Two minutes after that, they tweeted that “some persons have misused demographic search facility.” So was it “misreporting” or “misuse”?

Because “misreporting” would mean that The Tribune’s story was wrong, factually incorrect or out of context. But if “misuse” took place, then some wrongdoing was definitely going on.

So which one was it?

No, dear UIDAI, the issue is neither “misreporting” nor that of misuse of “demographic search facility”. Instead, the issue is this: Why were unauthorised individuals getting access to the secure Aadhaar database, and that too so easily?

The Devil is in the Detail

Notice how in their first tweet after the reports were published, the UIDAI cleverly slid in a line about “No biometric data breach”.

Yes, because The Tribune’s story never claimed that there was a biometric data breach. Neither did The Quint’s story ever claim so. But that doesn’t mean that there was no data breach.

As highlighted in The Quint’s report, the data breach pertained to the following personal information of Aadhaar cardholders.

His or her photograph

Full name

Parent’s name

Date of birth

Email address

Mobile number

Gender

Complete residential address

No biometric data was accessed, but a LOT of personal information was at the fingertips of unauthorised individuals with no government credentials whatsoever. Get why we’re worried, UIDAI?

UIDAI vs UIDAI

So essentially, the UIDAI first said it was misreporting. Then they admitted there was misuse. Then, they added yet another twist to their defence/denial/admission/whatever it is.

In a press statement, the UIDAI said, “Mere display of demographic information cannot be misused without biometrics.”

That’s basically the UIDAI saying that random unauthorised people can have your personal information but that’s okay because apparently, it “cannot be misused.”

But wait, if random people can get access to your personal details, including your photograph, your phone number, your residential address, your email id, they can do any number of unfriendly things with that data.

They can use your personal information to stalk you.

They can use the existing information they have about you (which is quite a lot anyway) to gain access to even more information.

The rogue admin could impersonate you or share your details with someone who wishes to do so.

They could print your Aadhaar card and use it to avail benefits in your name.

Not exactly as happy a situation as the UIDAI would want you to believe. Their defence that the data “cannot be misused” seems woefully off the mark.

First the Denial, Then the FIR

And if the UIDAI’s ever-changing standpoint on the issue wasn’t embarrassing enough, they went ahead and registered an FIR naming The Tribune and its reporter Rachna Khaira.

Instead of thanking the reporter for exposing a major flaw in the Aadhaar ecosystem, the UIDAI thought it would be a good idea to try punishing her for doing so.

Eventually, Union Minister Ravi Shankar Prasad had to nudge the UIDAI, asking it to focus on assissting the police in catching the “real offenders” (read: not investigative journalists).

In the FIR, the complainant, B M Patnaik, who works with UIDAI’s logistics and grievance redressal department, states: “An input has been received through The Tribune dated January 3, 2018, that the ‘The Tribune purchased’ a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.”

Report, The Indian Express

It would be natural to assume from the contents of the FIR, a copy of which is with The Quint, that the UIDAI was filing the FIR because it believed that The Tribune’s reporter had accessed “details for any of the more than 1 billion Aadhaar numbers created” so far.

Yet, a letter from the UIDAI to The Tribune paints a picture of another denial rather than admitting that something is wrong with the security of the Aadhaar database.

The UIDAI asked The Tribune, “Whether it was at all possible for your correspondent to view or obtain Fingerprints and Iris scan of any person through the aforesaid access to UIDAI portal?”

The UIDAI further stated, “You are requested to send your response to UIDAI on the sender’s email by 8 January 2018 failing which it will be presumed that there was no access to any Fingerprints and/or Iris scan.”

But the UIDAI very well knew that it was not the biometrics that had been accessed but the personal information (photo, parent’s name, date of birth, email id, mobile number, residential address).

So by asking The Tribune only and specifically about the biometric data and not anything else, the UIDAI ensured that they would only hear what they wanted to.

But does that change the truth about the data breach, its severity and magnitude? Nope.

So why exactly is the UIDAI busy comforting itself with sweet nothings? And worse still, why does the UIDAI still seem confused about whether there has been a data breach at all or not?

The facts are out there, plain and simple. It’s time the UIDAI stopped vacillating from denial to partial admission to denial again, and looked at the facts, admitted the problem and started getting their act together on how to fix it.

As we’ve said before, even relatively unimportant systems have access control via two-stage or three-stage processes, OTPs, biometric checks and the like – but the world’s largest biometric database allows its admins to add others as admins without even a two-step checking process.

Wasn’t putting in a security check before allowing admins to create new admins a common sense move? Why should admins have been ALLOWED to add unknown persons as admins with just a name, an email address and no other check whatsoever?

It’s high time the UIDAI realises that turning a blind eye to the gaping flaws in Aadhaar’s security system won’t plug the holes. If at all, it’ll only continue make a whole gamut of personal information vulnerable.

(The Quint is now on WhatsApp. To receive handpicked stories on topics you care about, subscribe to our WhatsApp services. Just go to TheQuint.com/WhatsApp and hit the Subscribe button.)